PayPal Fills Phishing Hole

Online payment company PayPal reports that it has fixed a Web site glitch through which the operators of a phishing scheme based in South Korea had been attempting to steal customers' personal data.

Online payment company PayPal reported on June 16 that it has fixed a Web site glitch through which the operators of a phishing scheme based in South Korea had been attempting to steal customers' personal data.

The phishers tried to lure users to a URL hosted on PayPal's legitimate Web site that had been altered with a so-called cross-site scripting attack. In such attacks, criminals find a vulnerability in a Web page that reflects user-supplied input without encoding it, and use it to add their own code, either appending their own content to the site or redirecting users to other fraudulent sites.

On visiting the PayPal page in question, users were presented with a message that said their accounts had been locked due to unauthorized access and asked them to wait while they were redirected to an account "resolution center." After a short delay, users were redirected to an external server that presented them with a fake PayPal URL and member log-in interface.
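The two defensive controls that close off the pattern described above (reflected content and an unchecked redirect) are shown below as an added illustration; this is not PayPal's code, and the function names and the `ALLOWED_REDIRECT_HOSTS` allowlist are assumptions constructed for the example.

```python
import html
from typing import Optional
from urllib.parse import urlparse

# Constructed allowlist for the example; a real site lists only its own hosts.
ALLOWED_REDIRECT_HOSTS = {"www.example.com"}


def render_notice_unsafe(msg: str) -> str:
    """Reflects a URL parameter straight into the page.

    This is the reflected cross-site scripting sink: any markup in `msg`
    becomes part of the page, so an attacker-crafted link can make the
    legitimate site display a fake "account locked" notice.
    """
    return f"<div class='notice'>{msg}</div>"


def render_notice_safe(msg: str) -> str:
    """Same page, but HTML-encodes the untrusted value before inserting it.

    html.escape turns <, >, &, " and ' into entities, so injected tags are
    shown as literal text instead of being interpreted by the browser.
    """
    return f"<div class='notice'>{html.escape(msg, quote=True)}</div>"


def safe_redirect_target(url: str) -> Optional[str]:
    """Allows a redirect only to an allowlisted host over HTTPS.

    Returns the URL unchanged when it is acceptable and None otherwise, so a
    'resolution center' link can never send the user to an external server.
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        return None
    if parts.hostname is None or parts.hostname.lower() not in ALLOWED_REDIRECT_HOSTS:
        return None
    return url
```

Reviewing templates for sinks like `render_notice_unsafe` and redirect handlers for a missing host check is the practical way to find this class of flaw before it is used against customers.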

Those who logged in to the fake site passed their account information on to the fraudsters, who also presented visitors with a second page asking individuals to relax user control settings on their PayPal accounts and share even more personal information, including their Social Security numbers, credit card numbers and ATM PINs.

PayPal is working with the South Korean ISP hosting the criminal site. PayPal officials said it is impossible to estimate how many people had visited the altered Web page but indicated the company has not received a large number of inquiries from members.

PayPal is encouraging any concerned customers who may have accessed the fraudulent sites to change their log-in passwords. For any customers whose information is stolen and misused, PayPal said it is also offering to reimburse the full amount of any related losses. PayPal has added the phishing URL to its security tool bar, preventing users of the browser-borne application from accessing the site altogether.